Network Attackers: Where In The World 3

Two previous rounds of analysis using IP geolocation with Whois (Part 1 and Part 2) revealed that 40% to 45% of network intrusion attempts arriving at my public-facing SSH port could be traced back to Chinese hackers, and 20% to 25% to attackers in Russia and Eastern Europe. The tally is now in from a third round of observations, boasting a significantly longer integration period (more than four months versus about six to seven weeks in the earlier rounds) and yielding plenty of interesting and even unexpected results.

First things first: logs do not lie, and SSH scan attacks are on the rise. Attacks occurred with an average frequency in round one of 0.583 per day; in round two there were 1.065 attacks seen per day; and in the round just closed, I logged 1.417 attacks per day on average. Considering that the total span of time under view is just eight short months, I would describe this escalation in the rate of a rather specialized and esoteric attack as rapid and alarming, and carrying the implication that more commonplace network attacks are likewise intensifying.

On 180 occasions between October 10, 2009 and February 13, 2010, intruders from 154 different IP addresses in 37 different countries were caught trying to gain illicit access to my server by dictionary-attacking the SSH service. Every one of these attackers was promptly and automatically blacklisted by fail2ban. Sixteen repeat offenders came back for further punishment, none more frequently than our old friends at 61.129.60.23, “Shanghai Telecom Corporation EDI Branch” in Shanghai, China, familiar from being banned three times in round two – banned six times this round.

China maintained the dubious distinction of leadership position among all regions, chalking up 76 out of the 180 observed attacks, a 42% share, consistent with expectations from past rounds. In fact, as the chart below illustrates, all other attack origins besides China occurred at a fraction of the rate by comparison, suggesting a more or less uniform or “background” frequency for their regions and leaving China alone dominant over all the world. (Better get used to that.)
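The tally above (bans counted, distinct IPs, repeat offenders, attacks per day, and per-country share) can be reproduced from a fail2ban log. The script below is an added example, not the author's own tooling; the log lines and the IP-to-country table are constructed stand-ins for the real log and for the Whois lookups.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines in fail2ban 0.8-style "[jail] Ban <ip>" format
# (not the author's data; 61.129.60.23 is the address named in the post).
SAMPLE_LOG = """\
2009-10-10 03:14:07,112 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-10-12 22:40:51,004 fail2ban.actions: WARNING [ssh] Ban 192.0.2.17
2009-10-12 22:55:02,333 fail2ban.actions: WARNING [ssh] Unban 192.0.2.17
2009-11-01 11:02:19,907 fail2ban.actions: WARNING [ssh] Ban 198.51.100.8
2009-11-20 17:33:45,210 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2010-02-13 09:05:00,001 fail2ban.actions: WARNING [ssh] Ban 203.0.113.77
"""

# Constructed IP -> country table standing in for the Whois/geolocation step.
GEO = {"61.129.60.23": "CN", "192.0.2.17": "RU",
       "198.51.100.8": "US", "203.0.113.77": "CN"}

# Matches only "Ban" actions; "Unban" lines must not count as attacks.
BAN_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ \S+ \S+ \[\S+\] Ban (\S+)$")


def parse_bans(log_text):
    """Return a list of (timestamp, ip) for every Ban line in the log."""
    bans = []
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if m:
            bans.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                         m.group(2)))
    return bans


def summarize(bans, geo):
    """Compute the round statistics the post reports from a list of bans."""
    per_ip = Counter(ip for _, ip in bans)
    first, last = min(t for t, _ in bans), max(t for t, _ in bans)
    days = (last - first).days + 1          # inclusive observation window
    per_country = Counter(geo.get(ip, "??") for _, ip in bans)
    return {
        "total": len(bans),
        "distinct_ips": len(per_ip),
        "repeat_offenders": {ip: n for ip, n in per_ip.items() if n > 1},
        "per_day": round(len(bans) / days, 3),
        "country_share": {c: round(n / len(bans), 3)
                          for c, n in per_country.items()},
    }


if __name__ == "__main__":
    print(summarize(parse_bans(SAMPLE_LOG), GEO))
```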

Meanwhile, Russia and Eastern Europe logged an unexpectedly low share of all attack activity in light of past rounds, picking up only 15 attacks or 8% share. The same chart in earlier rounds showed 20% to 25% aggregate representation from Russia, Poland, and other satellite states of the former USSR – less pronounced than China but significantly greater than other regions. What happened to all the ex-Soviet bloc hackers that were tripping over themselves to break into my unremarkable Linux server prior to October? To tell you the truth, I don’t know. Either some factor caused this region to be spuriously overrepresented in rounds one and two, or some factor caused it to be spuriously underrepresented in round three, or the falloff is real.

China’s continued domination within the network intrusion arena should come as no surprise amid last month’s highly publicized allegations of state-sponsored electronic espionage and cyberwarfare, delivered at the hands of victimized Google. Forensics investigators purport that valuable data was bounced back to attackers through command and control servers in Illinois, Texas, and Taiwan, while Texas-based Rackspace, Inc. – from whose IP block, by the way, we were surreptitiously scanned in both rounds two and three – was specifically implicated. A malicious agent (Chinese or otherwise) that wished to mount attacks against valuable targets and cover their tracks after the fact would need to amass networks of such intermediate relays. The wide area network intrusion vector, unlike, say, web or file-packaged attack vectors that target the endpoint, conveniently selects for systems that already have a desirable open network posture and can act as relays once compromised.

Who is at risk from this hacking activity? Service providers have the most direct exposure and should think long and hard about their perimeter defenses. Weak passwords on any WAN-facing service are an open invitation to compromise. The most diligently patched, up-to-date system will be taken down in an instant by bad password security (as in this example), though in that case the intruder probably won’t be able to gain root. Risk analysis used to be predicated upon the dollar value of data on the host – e.g., Ann’s knitting store site merited less intrusion protection than a large merchant site server or a banking web application. In the new threat environment, where every shell compromise might well be one hop away from a national security breach, can system administrators continue to be so lax?